Object Computing Benefits

Productivity and Reliability

- Reusability

- Maintainability

- Extensibility
Object Computing Benefits

* To Store Knowledge

But OS File Structures and Relational DBMS are Inadequate

And Purely Software-based Persistent Object Support

- is inefficient, and

- does not address multi-user access






Object Computing Benefits

* To Construct Secure Systems

But

- Requires Run-time Enforcement

- Current Hardware Architectures do not Support Efficient
  Fine-Grained Protection
Topics

- Object Addressing and Protection

- Computational Model

- Type Manager Based Protection

- Inheritance

- Object Persistence
VLSI-Based Object Addressing and Protection

[Figure: Tag-Bit Access Descriptor = Object Index | Rights, pointing at the Object Representation]

Object is a Typed Memory Segment

- From 64 bytes to 4 gigabytes

- If >4K bytes, then paged

- Up to 64M objects in virtual address space

Object Accessed through Access Descriptor

- AD is unforgeable (33rd bit)

- AD is used just like a pointer (access type in Ada)

Rights Determine Allowed Operations

Rev. 1.0 FJP Foil 6

Virtual Addressing

[Figure: 66-bit Virtual Address = Access Descriptor (Object Index, Rights) + Offset; the Object Index selects an Object Table entry, which locates the Object Representation (64 bytes - 4 gigabytes); the Offset indexes within it]

Object Table Maps Virtual Addresses to Physical Addresses
Object Structure

[Figure: Tag-Bit Access Descriptor (tag = 1 | Object Index | Rights) selects an Object Table entry holding the base address, Size, Object Type and Entry Type; the entry locates the Object Representation and the object's Type Definition]

Object Defined by Object Table Entry

- Used for virtual to physical address translation

- Visible to just OS memory manager

- On-chip TLB (MMU) caches mapping information

Translation is Independent of Execution Context

- TLB not flushed on process switch
Address Translation

[Figure: Simple: Object Table entry -> Object Representation (64 B - 4 KB). Paged: Object Table entry -> Page Table -> 4 KB pages, offset split into PI and PO. Bipaged: Object Table entry -> Directory -> Page Tables -> 4 KB pages, offset split into DI, PI and PO]

Simple

- 64 bytes to 4K bytes

- 64 byte increments

Paged

- 4K bytes to 4M bytes

- 4K byte increments

Bipaged

- 4M bytes to 4G bytes

- 4K byte increments
Object Typing

• Object Types are Defined by Type Definition Objects (TDO)

• Each Object Descriptor Contains an AD Pointing to the TDO of its Type

• H/W recognized types:

- Semaphores

- Ports

- Processes

- Domains

- TDOs

[Figure: Object Table entry (Base address, Type AD) pointing at the object representation and at the Type Definition Object (TDO) representation]
Representation Rights

[Figure: Tag-Bit Access Descriptor, bit positions 32 31 ... 2 1: Object Index | Usage Rights | Rep Rights]

Representation Rights Control Direct Access to Object

- Read rights checked on Load instructions

- Write rights checked on Store instructions

Rights Checking Occurs in Parallel with Address Translation
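The addressing model of the preceding foils (tagged access descriptors, the object table, representation rights checked together with translation on Load/Store) as an added Python model, not code from the BiiN foils. The names AD, ObjectTable, restrict and demo are hypothetical; the limits (64 bytes to 4 GB, the tag bit, read/write representation rights) follow the foils.

```python
from dataclasses import dataclass

READ, WRITE = 1, 2            # representation-rights bits of an AD
MAX_OBJECT = 4 * 1024 ** 3    # largest object: 4 gigabytes

@dataclass(frozen=True)
class AD:
    """Access descriptor. `tag` models the 33rd bit only the hardware can set."""
    index: int
    rep_rights: int
    tag: bool = False

class ObjectTable:
    """Object table: index -> (size, memory); translation and rights checks."""
    def __init__(self):
        self.entries = {}

    def create(self, size):
        if not 64 <= size <= MAX_OBJECT:
            raise ValueError("object size must be 64 bytes to 4 GB")
        index = len(self.entries) + 1
        self.entries[index] = (size, bytearray(size))
        return AD(index, READ | WRITE, tag=True)   # the only place a tag is minted

    def translate(self, ad, offset, needed):
        # bounds (translation) and rights are checked together, before any access
        if not ad.tag:
            raise PermissionError("untagged AD: plain data, not a capability")
        size, memory = self.entries[ad.index]
        if not 0 <= offset < size:
            raise IndexError("offset outside object")
        if ad.rep_rights & needed != needed:
            raise PermissionError("missing representation right")
        return memory

    def load(self, ad, offset):            # read right checked on Load
        return self.translate(ad, offset, READ)[offset]

    def store(self, ad, offset, value):    # write right checked on Store
        self.translate(ad, offset, WRITE)[offset] = value

def restrict(ad, drop):
    # restrict-rights: any holder may remove rights, never add them
    return AD(ad.index, ad.rep_rights & ~drop, ad.tag)

def demo():
    # write through a full AD, hand out a read-only copy, try to write with it
    table = ObjectTable()
    full = table.create(4096)
    table.store(full, 10, 0x41)
    read_only = restrict(full, WRITE)
    try:
        table.store(read_only, 10, 0x42)
    except PermissionError:
        return table.load(read_only, 10)      # 0x41: the store was refused
```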
Topics

- Object Addressing and Protection

- Computational Model

- Type Manager Based Protection

- Inheritance

- Object Persistence
Simple Program Model

[Figure: the Process State holds the Address Space ADs; address bits 30 29 select the region: Data at 00000000 (hex), Code at 40000000 (hex), Stack at 80000000 (hex), System at C0000000 (hex)]

Conventional Programs See Flat 32-bit Linear Address Space

Each of 3 Regions is an Object

Regular Call-Return Used for Procedure Calls

Reserved Region is Processor-specific
Extended Program Model

[Figure: the System region of the linear address space holds ADs leading to further Objects]

Linear Address Space Can be Root of an Object Network

- Interconnected by ADs

- ADs used just like pointers
Multiple Address Spaces Per Process

[Figure: the caller's Data, Code and Stack; a Call Domain instruction names a Domain Object and a subprogram number; the Domain Object lists the entry points of the destination address space]

Destination Address Space Defined by Domain Object

Interdomain Call/Return Instructions

- Linkage kept in process object

- No implicit access between address spaces

- Parameters may include ADs

- Performance comparable to other architectures' supervisor calls

No Limit on Number of Address Spaces per Process
Closer Look At Call Domain

[Figure: the Domain Object holds a Subsystem ID and the Entry Points; the Subsystem ID is looked up in the Process Hash Table]

Subsystem ID Selects Stack from Process Object

- Null: use caller's stack

- World: use the default program stack

- ID: a unique (named) stack is selected per process
Subsystem Based Protection

[Figure: an Application calls a Protected Subsystem (an address space) through its Public Interface (a domain object); the subsystem's Private Modules are not reachable directly. BiiN/OS services such as the Comm. Service and the Library Service are structured the same way]
Subsystem Based Protection Benefits

Reliability, Maintainability, and Extensibility Without
Compromising Performance

Increased Productivity in Integration and Test

- Decompose application into protected subsystems

- Since each subsystem is linked independently, turnaround time
  (recompile/relink) is faster

- Since errors are confined to a subsystem, they are easier to find

Increased Performance Without Compromising Security

- Services can safely execute in user's process

- Other architectures require a separate process, which results in:

  - higher invocation overhead

  - potential bottlenecks in symmetric multiprocessors
Topics

- Object Addressing and Protection

- Computational Model

- Type Manager Based Protection

- Inheritance

- Object Persistence


Object-Oriented Design 



Define Abstract Data Type 
Define Set of Operations on Type 
Set of Operations form a Module 

Module Hides Implementation 

- Representation of data type 

- Operations (Algorithms) on data types 
Mapping to Ada

Object-oriented Design Maps to Ada Package

• Define Abstract Data Type

• Define Set of Operations on Type

• Set of Operations form a Module

• Module Hides Implementation

- Representation of data type

- Operations (Algorithms) on data types

    package Library_Service is
       type library_object is limited private;
       type library is access library_object;
       function Create_Library return library;
       procedure Store(Lib: library;
                       Name: string;
                       Data: text);
       ...
    end Library_Service;

    package body Library_Service is

- Contains Implementation

- Hidden from users of package
Mapping To Architecture

    package Library_Service is
       type library_object is limited private;
       type library is access library_object;
       function Create_Library return library;
       procedure Store(Lib: library;
                       Name: string;
                       Data: text);
       ...
    end Library_Service;

[Figure: the Application calls the Library Service, a Protected Subsystem (address space), through its Public Interface (the domain object specified by the Ada package specification); the Private Modules are internal Ada packages]

Runtime Protection of

- Package body

- Representation of library objects
Principles Of Type Manager Based Protection

Objects are Typed

The X Service is the Type Manager (TM) for Objects of Type X

Only TM X Can Access Representation of X Objects

Applications Can Pass Around ADs (without Representation Rights) for X Objects

Anyone Can Create a New Object Type and TM

BiiN/OS Provides Object Management Service

[Figure: a User Defined TM built on the BiiN/OS Object Service]
Usage Rights

[Figure: Tag-Bit Access Descriptor, bit positions 32 31 ... 2 1: Object Index | Usage Rights | Rep Rights]

Usage Rights are Interpreted and Checked By Object's TM

Examples

TYPE        USE       MODIFY    CONTROL
FILE        READ      WRITE     DELETE
TDO         CREATE    AMPLIFY   -
DIRECTORY   LIST      STORE     CHANGE A-LIST
PROGRAM     EXECUTE   DEBUG     DESTROY
LIBRARY     LOOKUP    STORE     LOCK
A TM Example Using Libraries

Outline

• Creation of the Library Type

• Creating an Object of Type Library

• User-Level Protection on Library Objects

• Invoking the Lookup Procedure on a Library Object
Type Creation

To Define a New Data Type, TM Creates a Type Definition Object (TDO)

- AD to TDO is never given out

- Usage Rights of that AD have TM rights semantics

  Create (use) right
  Amplify (modify) right

[Figure: the Library Service holds TDO_AD, an AD with TM rights to the Library TDO]
Object Creation

[Figure: the Application "CALL"s Create_Lib in the Library Service, which performs Create Object]

Application Cannot Create Library Object Directly

- It cannot get AD with create rights for Library TDO

Application Must Call Create_Library Subprogram

Call Requires AD for Library Service Domain Object
Object Creation (cont'd)

Library Service Calls BiiN/OS Object Service

- AD for Library TDO is passed

- Object service checks for create rights in AD

Object Service Allocates Library Object

- Returns AD with all rights to Library TM

[Figure: Create_Lib in the Library Service passes TDO_AD (create rights) to the Object Service, which Allocates the New Library Object and returns an AD to it]
Object Creation (cont'd)

Library Service Then

- Initializes library object

- Removes representation rights in AD (using restrict rights instruction)

- Returns AD to application

- Does NOT keep AD to library object

Application Cannot Access Representation

Application Controls Usage Rights to Just its Library Object

[Figure: the Library TM holds an AD with rights umcrw to the New Library Object; after "CALL" Create_Lib returns, the Application holds an AD with rights umc-- (usage rights only, no representation rights)]
Authority-List Determines Usage Rights

[Figure: User ID bob has the Identities bob, finance, contracts and world (bob is a member of the finance group); the "Sales" Library Object carries an Authority List]

Authority List of the "Sales" Library Object (u, m, c = use, modify, control usage rights):

  joe      umc
  susan    -m-
  finance  u--
  sales    um-



Type Specific Operations

Application has AD for Library Object with Just Use (Lookup) Rights

Application Invokes List Subprogram Passing AD

[Figure: the Application passes its AD (use rights only) to the Library Service; the Library Object's type points at the Library TDO]
Type Specific Operations (cont'd)

Application has AD for Library Object with Just Use (Lookup) Rights

Application Invokes List Subprogram Passing AD

Library Service Executes Amplify Instruction

- Takes AD to-be-amplified and AD with Amplify (modify) rights for a TDO

- Verifies type match

- Adds representation rights
Type Specific Operations (cont'd)

[Figure: after Amplify, the Library Service's AD to the Library Object carries representation rights (rw), while the Application's AD still carries only usage rights; the Library TDO supplied the type match]

Library Service Can Now Access Representation of Library Object
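The Library walkthrough of the foils above (TDO with create/amplify rights, object service checking the create right, the TM restricting representation rights before handing the AD out, and Amplify verifying the type match before adding them back) as an added Python model; it is not BiiN code. Obj, AD, access_rep, object_service_create and LibraryService are hypothetical names; the rights letters umc/rw and the instruction names follow the foils.

```python
from dataclasses import dataclass

USE, MODIFY, CONTROL = "u", "m", "c"   # usage rights, interpreted by the object's TM
READ, WRITE = "r", "w"                  # representation rights, checked by hardware
CREATE, AMPLIFY = USE, MODIFY           # on a TDO the usage rights have TM semantics

@dataclass(eq=False)
class Obj:
    type_name: str      # "TDO" for a type definition object
    rep: dict           # representation; reachable only through r/w rights

@dataclass(frozen=True)
class AD:
    obj: Obj
    rights: frozenset

def restrict_rights(ad, drop):          # Restrict Rights instruction: anyone may drop rights
    return AD(ad.obj, ad.rights - frozenset(drop))
def amplify(ad, tdo_ad):
    # Amplify instruction: needs the amplify right on the object's TDO,
    # verifies the type match, then adds representation rights
    if tdo_ad.obj.type_name != "TDO" or AMPLIFY not in tdo_ad.rights:
        raise PermissionError("no amplify right on a TDO")
    if ad.obj.type_name != tdo_ad.obj.rep["name"]:
        raise PermissionError("type mismatch")
    return AD(ad.obj, ad.rights | {READ, WRITE})
def object_service_create(tdo_ad):
    # BiiN/OS object service: checks the create right, returns an AD with all rights
    if tdo_ad.obj.type_name != "TDO" or CREATE not in tdo_ad.rights:
        raise PermissionError("no create right on a TDO")
    return AD(Obj(tdo_ad.obj.rep["name"], {}), frozenset("umcrw"))

def access_rep(ad):                     # every representation access is rights-checked
    if not {READ, WRITE} <= ad.rights:
        raise PermissionError("no representation rights")
    return ad.obj.rep

class LibraryService:                   # type manager for Library objects
    def __init__(self):
        self._tdo_ad = AD(Obj("TDO", {"name": "library"}), frozenset("umc"))  # never given out

    def create_library(self):
        ad = object_service_create(self._tdo_ad)
        access_rep(ad)["entries"] = {}                    # initialise the object
        return restrict_rights(ad, {READ, WRITE})         # application gets umc only

    def store(self, lib_ad, name, data):
        if MODIFY not in lib_ad.rights:
            raise PermissionError("Store needs the modify right")
        access_rep(amplify(lib_ad, self._tdo_ad))["entries"][name] = data

    def lookup(self, lib_ad, name):
        if USE not in lib_ad.rights:
            raise PermissionError("Lookup needs the use right")
        return access_rep(amplify(lib_ad, self._tdo_ad))["entries"].get(name)
```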






Relationship To Security

"The TCB shall be designed and structured to use a complete,
conceptually simple protection mechanism with precisely defined
semantics. This mechanism shall play a central role in enforcing the
internal structuring of the TCB and the system. The TCB shall
incorporate significant use of layering, abstraction and data hiding."

From the Orange Book (DOD 5200.28-STD) section 3.3.3.1.1, System
Architecture for B3 level security
Relationship to Security (cont'd)

Corresponds to SAT Type Enforcement

• Secure Ada Target

• Extends Bell and LaPadula Model Beyond A1

• NCSC/Honeywell Research

"Domains are essentially a mechanism for encapsulating managers for
different data types and transformations between data types. This
provides a way to decompose the proof of security for the system into
manageable pieces and to tailor the security policy for a system in an
application dependent fashion. ... Thus, type enforcement is more
than a mere convenience. It provides a way to unify the treatment of
trusted subjects with that of generic untrusted subjects."

From "Extending the Noninterference Version of MLS for SAT", IEEE
Transactions on Software Engineering, Feb. 1987.
Topics

- Object Addressing and Protection

- Computational Model

- Type Manager Based Protection

- Inheritance

- Object Persistence
Behavior Inheritance

Multiple Implementations for Same Behavior

Example

  Behavior: Byte-Stream Access Method

  Implementations: File, Pipe, Magtape, Terminal

Implementation is Selected in Call Instruction Based on Type of Object
Application Independent of Implementation

[Figure: Behavior Specifications (Byte Stream AM, Record AM, Terminal AM), each with open/read/write; the application depends only on the specification, labelled INDEPENDENCE from the implementations]

Ada Package Specification Specifies Behavior

Provides Semantic Definition to Interface

Services Provide Implementation (package body)

New Behaviors can be Added
Call Vectoring

[Figure: a Behavior Specification (Byte Stream AM) is vectored to a Service Implementation (Record AM, New AM, ...)]

Type of First Parameter Selects Implementation
Implementation Selected by Object's Type

[Figure: the Application executes Call Domain BS_AM.Read(DevX_AD, ...) on the BS AM Behavior Domain (BS AM ID: Open, Read); the DevX Object is of Type X, whose TDO leads to X's Domain Object (Open, Read, Write); that domain object maps the BS AM ID and REC AM ID to the TM Service Implementation]
Behavior Inheritance Summary



Dynamic Binding on Every Call Based on Type 

Old Program Binaries Work with New Implementations Without 
Even Relinking 

Call Behavior Instruction Same as Call Domain 

- Different effect due to difference in domain objects 

- Thus, invokable from any language 

Service Can Dynamically Add Implementations for New Behaviors 
Topics

- Object Addressing and Protection

- Computational Model

- Type Manager Based Protection

- Inheritance

- Object Persistence
Object States

Two Object States: Passive and Active

A Passivated Object is

- Stored in permanent storage (disk) 

- Managed by Passive Store Management 

- Protected by Authority List 

An Activated Object is 

- Stored in virtual memory 

- Managed by object service 

- Protected by VLSI-based object addressing 
Activation

Implicit

- Similar to VM fault

- Rights in AD determined by authority-list

Object Networks Can Cross Node Boundaries

[Figure: a Referenced object goes from PASSIVE to ACTIVE through Object Activation; the Authority List supplies the rights in the Activated Object's AD]
Passivation

Explicit

- Transaction-based for synchronization and recovery

- Controlled by type manager to assure consistency

    Start_Transaction;
    Store("Foo", A_AD);
    Update(A_AD);
    Update(B_AD);
    Update(C_AD);
    Commit_Transaction;

[Figure: Store enters A_AD under the name "Foo" in the Current Directory (Default)]
Transaction Concepts

Properties

- Atomicity

- Synchronization

- Integrity

- Recoverability

[Figure: Objects Participate in a Transaction; Other Access Attempts meet a LOCK]
Transaction Service Embedded in BiiN/OS



Transaction Service Acts as Coordinator 

Multiple Services Can Participate in Same Transaction 

- Files 

- Directories 

- Libraries 

Extendable to New Services 

Distributed 

- using 2-phase commit protocol 
Distributed Optimistic Concurrency

[Figure: timeline of object A, Passive then Active, as seen by two agents]

Agent X

- Access A; A is activated

- Change A

- Update(A_AD)

Agent Y

- Access A; A is activated

- Change A

- Update(A_AD) fails, exception raised: outdated object version

- Reset_Active_Version(A_AD)

- Change A

- Update(A_AD)
Distributed Pessimistic Concurrency

    Start_Transaction;
    Reserve(A_AD);        -- Synchronizes. Does Reset, if necessary.
    -- Change A
    Update(A_AD);
    Commit_Transaction;
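The optimistic sequence (Update failing on an outdated version, Reset_Active_Version, redo) and the pessimistic Reserve path of the two foils above, as an added Python model rather than BiiN code. Update, Reset_Active_Version and Reserve are the foils' names; PassiveStore, ActiveObject, the integer version counter and the agent labels are hypothetical modelling devices.

```python
class OutdatedObjectVersion(Exception):
    """Raised by update(): the active copy is older than the passive one."""

class ActiveObject:                 # the activated (in-memory) copy behind an AD
    def __init__(self, name, version, value):
        self.name, self.version, self.value = name, version, value

class PassiveStore:
    """Passive store: one committed (version, value) per object name."""
    def __init__(self):
        self.objects = {}           # name -> (version, value)
        self.reserved = {}          # name -> agent holding a Reserve

    def activate(self, name):       # implicit activation: copy out the current version
        version, value = self.objects[name]
        return ActiveObject(name, version, list(value))

    def update(self, active, agent=None):
        """Update(A_AD): passivate, but only if the active copy is still current."""
        holder = self.reserved.get(active.name)
        if holder is not None and holder != agent:
            raise RuntimeError("object reserved by another transaction")
        current, _ = self.objects[active.name]
        if active.version != current:
            raise OutdatedObjectVersion(active.name)
        active.version = current + 1
        self.objects[active.name] = (active.version, list(active.value))

    def reset_active_version(self, active):
        """Reset_Active_Version(A_AD): reload the stale copy; the change is redone."""
        version, value = self.objects[active.name]
        active.version, active.value = version, list(value)

    def reserve(self, active, agent):
        """Reserve(A_AD): pessimistic path; synchronizes and resets if necessary."""
        if self.reserved.get(active.name, agent) != agent:
            raise RuntimeError("object reserved by another transaction")
        self.reserved[active.name] = agent
        if active.version != self.objects[active.name][0]:
            self.reset_active_version(active)

    def commit(self, agent):        # Commit_Transaction releases the agent's reservations
        self.reserved = {n: a for n, a in self.reserved.items() if a != agent}
def optimistic_race(store):
    """Agents X and Y both activate A; Y's first Update fails and is redone."""
    a_x, a_y = store.activate("A"), store.activate("A")
    a_x.value.append("x"); store.update(a_x)          # X passivates first
    a_y.value.append("y")
    try:
        store.update(a_y)                              # outdated: X changed A meanwhile
    except OutdatedObjectVersion:
        store.reset_active_version(a_y)                # a_y now holds X's version
        a_y.value.append("y")                          # redo the change
        store.update(a_y)
    return store.objects["A"]
```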
Persistent Object Summary



Supports a Permanent Network of Distributed Typed Objects 

- Network can cross disk and node boundaries 

- Accessible independent of location 

Supports Concurrent Distributed Access 

- Based on transactions for synchronization and data integrity 

- Both optimistic and pessimistic synchronization are supported 

Activation is Implicit for Ease-of-use 
Passivation is Explicit for Data Integrity 
Summary